Why your game console or home VoIP PBX won’t work with OPNsense or pfSense, and how to fix it

If you have been using a standard router and decide to upgrade to OPNsense or pfSense (I personally recommend OPNsense, solely because of the heavy-handed moderation in the pfSense user forum, where a user can apparently get banned for life for even a small inadvertent infraction), you may find that making a game console or a VoIP PBX work isn’t as simple as just forwarding some ports. The other thing you have to do is shown in this video:

Although the video specifically mentions the PS4 and Xbox, the advice shown is equally valid for other types of game consoles and for home PBX servers. Note the section starting at 3:20 in the video, where the “Static Port” checkbox is checked – this is the key to making it work! The reason it matters is that by default OPNsense and pfSense rewrite the source port of every outbound connection to a random port. A SIP PBX advertises its own port (normally 5060) inside the messages it sends, and a game console’s NAT-type test sees a different external port for every destination it talks to, so replies come back to a port the firewall never mapped and are dropped. With “Static Port” the original source port is kept, so the outside world sees the port the device actually expects.

The OPNsense user interface will look a bit different than the one in pfSense but the principle is the same; you still need to make sure the “Static Port” checkbox is checked. And in either case, you may still need to do port forwarding, the same as you did on your previous router, but generally speaking port forwarding alone will not work until the additional configuration shown in the video is applied. Here’s an example of setting up a static port rule in OPNsense (note that the source address field refers to a previously-set alias for the IP address of the Asterisk PBX):

VoIP PBX users, there is one other thing you may need to do, at least in OPNsense, particularly if you find that you have a non-local extension that is unable to connect to your PBX. If you are using a Dynamic DNS address, make sure you go to System: Settings: Administration and put that dynamic DNS address in the “Alternate Hostnames” field.
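The same setup written out as pf rules, so you can see what the “Static Port” checkbox and the port forward actually do underneath the GUI. This is an added example and not the rule set OPNsense or pfSense generates; the WAN interface name em0, the LAN subnet, the PBX address 192.168.1.50 (standing in for the author’s alias) and the RTP port range are assumptions, and the syntax is the FreeBSD pf dialect both firewalls use (translation rules before filter rules).

```pf
# Added example: hand-written pf rules equivalent to "Static Port" outbound
# NAT for a SIP PBX plus the usual port forward. Interface names and
# addresses are assumed, not taken from the article or from the GUI.
ext_if  = "em0"                     # WAN interface (assumed)
lan_net = "192.168.1.0/24"          # LAN subnet (assumed)
table <pbx> { 192.168.1.50 }        # alias for the Asterisk PBX (assumed address)

# pf uses the FIRST matching nat rule, so the PBX-specific rule must come
# before the general one. "static-port" keeps the original source port, so
# a REGISTER sent from 192.168.1.50:5060 leaves as <WAN address>:5060, the
# port the PBX advertises in its SIP headers. This is what the "Static Port"
# checkbox turns on. It is scoped to <pbx> only: static-port gives up the
# source-port randomization that makes NAT mappings harder to guess, so do
# not apply it to the whole LAN.
nat on $ext_if from <pbx> to any -> ($ext_if) static-port

# Default behaviour for everything else on the LAN: the source port is
# rewritten to a random port. Applied to the PBX, this is the setting that
# makes the provider reply to a port the firewall never mapped.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Port forward (rdr) for inbound SIP signalling and the RTP media range, so
# extensions outside the LAN can reach the PBX. Forward only the ports the
# PBX is actually configured to listen on; the RTP range here is assumed.
rdr on $ext_if proto udp from any to ($ext_if) port 5060        -> <pbx> port 5060
rdr on $ext_if proto udp from any to ($ext_if) port 10000:20000 -> <pbx> port 10000:20000

# Matching pass rules. pf filters on the post-translation address, so the
# destination here is the PBX, not the WAN address.
pass in quick on $ext_if proto udp from any to <pbx> port 5060
pass in quick on $ext_if proto udp from any to <pbx> port 10000:20000
```

To confirm the rule is doing its job, run `pfctl -s state` from the firewall shell after the PBX registers: the state for the PBX’s outbound SIP traffic should show the WAN-side port as 5060 rather than a random high port. If it still shows a random port, the static-port rule is below a more general one that matches first.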

2 thoughts on “Why your game console or home VoIP PBX won’t work with OPNsense or pfSense, and how to fix it”

This is a great article, but only works with one console. Most off the shelf routers can easily achieve this with little or no setup. The reason most of us end up trying OPNsense or pfSense is because we can’t get our “off the shelf” router to do something we need. Now most will do just about any day to day task these days, like port forwarding, UPnP, NAS storage, and even server network setups. Where consumers start to need something more is when we have more than one device needing to connect or operate in the same manner as other devices on the same network. Off the shelf routers allow us to NAT one device or one network, but what about more than one over the same network? This is the present gaming problem at hand. This is why many are trying OPN or pf, but the documentation is just not there to configure these network setups. There is plenty on what you just addressed, VPNs, monitoring, and simple business networks. But very little regarding new network problems at hand including but not limited to… gaming (2 consoles at one time), routing more than one LAN with multiple WAN interfaces, and IPv6 internal static setups. We need clear and detailed tutorials that solve these problems and they need to be where people can find them.

Well, I’m going to go out on a limb a bit here and say that this may not be an OPNsense issue, because you can do the procedure shown in the video for each console on your network, since each will be at a different local IP address and you specify that in the configuration. Where you may run into problems is if the gaming console wants specific ports forwarded to it exclusively, because any given port can normally only be set up to forward to a single console. In an ideal world you would not need to forward ports to a game console, but my understanding is that if you don’t you lose some capabilities, such as maybe multiplayer chat. So ideally the console makers would give you a range of ports you could use instead of a single port, so that you could assign one port out of that range to each console, but as far as I know they don’t do that.

Unfortunately I’m out of my depth here because I am not a gamer, so I only know about this from having to deal with it in the case of a VoIP PBX. On those you can configure the ports that the PBX receives traffic on (for example the standard SIP port is 5060, but that can be changed), but then again few people would ever operate more than one VoIP PBX on their local network. So my suggestion to you would be to go into the OPNsense forum and post there, asking if there is a way to use two or more of the same make and model game console on the same local network. If you are lucky you will get a response that you can understand and that is actually helpful. No guarantees, but it may be worth a try.

As for needing clear and detailed tutorials, the problem with programs like OPNsense and MANY similar programs is that the developers tend to lose sight of the fact that many of their users are inexperienced and do not have any prior knowledge to build off of. So when they write documentation, they write it in a way that is perfectly understandable to them, but maybe not to very many others and particularly not to new users. I have a theory that developers should not write their own documentation; they should get some new users with no prior experience to do it, or at least to revise their first draft. My theory is that if that new user can understand the program then they will (hopefully) write documentation that other new users can understand. Unfortunately that means that the developer(s) would essentially have to personally mentor the new users until they understand the software well enough to write good user-friendly documentation, which means the developer(s) would likely get a lot of questions about things that seem perfectly obvious to them, and that they may never be able to explain well enough that new users can understand. And many developers just don’t have the patience for that. But this is why the documentation for some software is so bad from the perspective of regular users – many programmers seem almost genetically incapable of writing documentation at a level that can be easily understood by new users.

I will just note that the reason some users try something like OPNsense is because most off the shelf routers don’t get regular firmware updates, particularly after they get to be several months or a couple of years old, and therefore many known vulnerabilities may remain unpatched. You can mitigate this somewhat by using third-party router firmware such as DD-WRT or similar software, but that only works if the router allows the use of third-party firmware AND the user is comfortable installing it AND the version of that firmware for that router is regularly updated. In contrast, while OPNsense can’t be installed as third-party firmware on most off-the-shelf routers, when used with compatible hardware (typically something resembling a small form factor PC) it receives regular updates, typically every other week or thereabouts, and possibly sooner if a really nasty vulnerability is discovered. So as long as OPNsense is maintained, you can probably continue to run it on the same hardware for many years, and you will not have to worry about running archaic software/firmware that leaves your router and your network somewhat unprotected.

Finally, the problem with IPv6 from my perspective is it has never been documented well enough to allow users to build effective firewalls. I think the whole philosophy of IPv6 is that every device on the internet should have its own IP address, and while that would solve your gaming console issue (I think), it would make it much harder to keep the bad guys out of your local network. A lot of “network professionals” seem to think that the sooner we all go to IPv6 exclusively the better, but they fail to realize that it took people two or three decades to understand IPv4 well enough to have effective firewalls, and with IPv6 most users barely know it exists, let alone how to protect their networks so that anyone on the internet can’t connect to their internal devices. Plus, most of us have a lot of equipment that’s IPv4-aware only, so there’s that. So in short, I agree with your last sentence and have been saying similar things for years, but many developers seem deaf to such pleadings from users.